In late March, the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”) released a model regulation (the “Model Regulation”) governing the use of biometric access controls in the workplace. Unlike most items of personal information, biometric data (such as a person’s face or fingerprints) is unique to the individual and, if stolen or otherwise compromised, cannot be changed to avoid misuse. Under Article 9 of the GDPR, biometric data processed “for the purpose of uniquely identifying a natural person” falls within the “special categories” of personal data (commonly called sensitive data) and warrants additional protections. The GDPR authorizes Member States to impose such additional protections. Accordingly, the French Data Protection Act 78-17 of 6 January 1978, as amended, now provides that employers – whether public or private – wishing to use biometric access controls must comply with binding model regulations adopted by the CNIL, the first of which is the Model Regulation.

The Model Regulation, which the CNIL finalized and adopted following a public consultation, specifies robust requirements for the processing of biometric data for workplace access controls. Such access controls include the use of a biometric authentication system to allow entry into the workplace (or sensitive workplace areas) or access to certain databases, equipment or computer networks. Below are some of the key aspects of the Model Regulation:

Justify the use of biometrics: The Model Regulation requires employers to justify the use of biometrics based on the specific context of the workplace (e.g., the presence of dangerous machinery, valuables, confidential materials, or products subject to strict regulation) and to demonstrate why traditional authentication devices (e.g., badges or passwords) are not adequate from a security standpoint. Such justification must be expressly documented by the employer, including the rationale for selecting one biometric feature over another for authentication. The Model Regulation also distinguishes the types of biometric access control systems by how the template is transmitted and where it is stored, and it notes the security risk that a central database of templates creates: a single compromise exposes every enrolled template, and a template, unlike a password, cannot be reissued. Central storage is therefore permitted only in critical environments that justify the additional protections it requires. Otherwise, the biometric data must be stored on a medium that remains in the individual’s exclusive possession (e.g., a badge or smart card), without any durable copy retained by the employer or its service providers.

Maintain strong data security: The Model Regulation details many ways in which employers must maintain robust organizational and technological data security procedures. The enumerated security measures relate to the data, organization, hardware, software and computer channels, and the employer must audit, at least annually, the implementation of these measures. The Model Regulation also stipulates maximum retention periods for biometric data. For example, raw biometric data (such as a photo or audio recording) cannot be retained any longer than necessary to create a biometric template that can be analyzed by the system’s software. Moreover, any resulting biometric templates must be encrypted and eventually deleted once an employee no longer works at the organization. The Model Regulation also outlines the types of individual personal data that may reside on a biometric control device and the types of log data that may be collected.
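As an added illustration of the storage model the Model Regulation prefers for non-critical environments (this is not CNIL text and not any vendor’s product), the following Python sketch enrols a template onto the employee’s badge, verifies a fresh scan at a terminal that holds a key but no template, refuses a tampered badge, and wipes the badge when the employee leaves. The 256-pixel scan, the threshold feature extractor, the Hamming-distance matcher and the HMAC-based seal that stands in for an AEAD such as AES-GCM are all constructed assumptions, as are the class and function names.

```python
# Added illustration (not CNIL text or vendor code): template lives on the badge,
# the terminal holds only a key. Scan, extractor and HMAC seal are constructed.
from __future__ import annotations

import hashlib
import hmac
import os
import random

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 40  # max Hamming distance still accepted as the same person


def extract_template(raw_scan: list[int]) -> bytes:
    """Reduce a 256-pixel scan to a 256-bit template; the raw scan is not kept."""
    bits = 0
    for pixel in raw_scan:
        bits = (bits << 1) | (1 if pixel >= 128 else 0)
    return bits.to_bytes(TEMPLATE_BITS // 8, "big")


def hamming(a: bytes, b: bytes) -> int:
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes | None:
    """Return the template, or None when the tag fails (tampered or foreign badge)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Badge:
    """The employee's own medium: the only durable home of the sealed template."""
    def __init__(self) -> None:
        self.sealed_template: bytes | None = None


class Terminal:
    """The employer's reader: holds a key, never a copy of any template."""
    def __init__(self) -> None:
        self.key = os.urandom(32)
        self.access_log: list[tuple[str, bool]] = []  # (event, outcome) only

    def enrol(self, badge: Badge, raw_scan: list[int]) -> None:
        badge.sealed_template = seal(self.key, extract_template(raw_scan))
        # raw_scan is dropped here; neither it nor the template is retained

    def verify(self, badge: Badge, raw_scan: list[int]) -> bool:
        stored = unseal(self.key, badge.sealed_template) if badge.sealed_template else None
        ok = stored is not None and hamming(stored, extract_template(raw_scan)) <= MATCH_THRESHOLD
        self.access_log.append(("verify", ok))  # outcome only, no biometric data
        return ok

    def offboard(self, badge: Badge) -> None:
        badge.sealed_template = None  # leaver: nothing else exists to delete


def constructed_scan(seed: int, noise: int = 0) -> list[int]:
    """Constructed 256-pixel scan; same seed plus noise models a repeat capture."""
    rng, jitter = random.Random(seed), random.Random(seed * 7919 + noise)
    return [min(255, max(0, rng.randrange(256) + jitter.randrange(-noise, noise + 1)))
            for _ in range(TEMPLATE_BITS)]


def demo() -> dict[str, bool]:
    terminal, badge = Terminal(), Badge()
    terminal.enrol(badge, constructed_scan(1))
    results = {"genuine": terminal.verify(badge, constructed_scan(1, noise=20)),
               "impostor": terminal.verify(badge, constructed_scan(2, noise=20))}
    tampered = Badge()
    tampered.sealed_template = bytes(b ^ 0xFF for b in badge.sealed_template)
    results["tampered"] = terminal.verify(tampered, constructed_scan(1, noise=20))
    terminal.offboard(badge)
    results["after_offboarding"] = terminal.verify(badge, constructed_scan(1))
    return results
```

The point is where the data lives: after enrolment the raw scan is gone, the only durable template is the sealed copy on the badge, and the employer’s log records outcomes rather than biometric data. A production system would use a real AEAD and a vendor’s feature extractor; the toy extractor here only makes the fuzzy-match behaviour (a noisy repeat capture still matches, a different person does not) visible.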

Remember GDPR obligations: Beyond the Model Regulation, employers must still comply with applicable provisions of the GDPR with regard to any biometric access control system. Such compliance might include data breach notification obligations, recordkeeping requirements and compliance with the individual’s data protection rights. Specifically, the CNIL noted that the collection of biometric data for access control is likely to create a high risk for the rights and freedoms of the individuals. In light of that, a data protection impact assessment must be carried out by the employer/data controller prior to the implementation of any biometric access control and updated at least every three years.

The above summarizes the principal aspects of the Model Regulation at a high level. Before instituting biometric access controls within its scope, employers should read closely both the text of the Model Regulation and the CNIL’s FAQ, which provides practical commentary beyond that text, for the specific requirements.

We note that the protection of biometric data also garners attention in the U.S., where several states have enacted biometric privacy statutes, most notably Illinois, whose statute contains a private right of action and has produced a wave of biometric privacy suits, including those against employers for using biometric timekeeping devices without adequate notice and consent. Back in the EU, the Model Regulation for biometric access controls in the workplace may conceivably serve as a model for other Member States to follow, and we will continue to follow such potential developments and further actions by the CNIL.

Per our previous post, the European Parliament and the Member States agreed to adopt new rules that would set the standard for protecting whistleblowers across the EU from dismissal, demotion, and other forms of retaliation when they report breaches of various areas of EU law. According to a press release issued by the European Parliament on April 16, 2019, the Parliament approved these changes by an overwhelming majority. The new rules require that employers create safe reporting channels within their organization, protect whistleblowers who bypass internal reporting channels and directly alert outside authorities, including the media under certain circumstances, and require that national authorities provide independent information regarding whistleblowing. This legislation marks a significant departure from the jurisdiction-specific approach that has resulted in disparate protection across Europe, with some jurisdictions, like Germany and France, offering relatively limited protection when compared to other jurisdictions, such as the UK. These changes, if approved by the EU ministers, will set a uniform baseline and therefore considerably increase whistleblower protections in the EU. Member States will have two years to achieve compliance. For an additional discussion as to the implications of this legislation, see this article by The New Times. We will continue to monitor this development.

According to a press release issued by the European Commission today, the European Parliament and the Member States have agreed to adopt new rules that set the standard for protecting individuals who blow the whistle on breaches of EU law from dismissal, demotion, and other forms of retaliation. This reform, which was first proposed by the European Commission in April 2018, seeks to replace the patchwork of whistleblower protections that currently exist across the Member States with a uniform approach. If formally adopted by the Parliament and Council, the new rules would protect those who report violations of various areas of EU law, including data protection, and Member States could extend protection to other areas of the law as well. Employers would have an obligation to create safe reporting channels within the organization, and whistleblowers, while encouraged to report internally first, also would be protected when reporting to public authorities. Additionally, whistleblowers could safely report violations directly to the media if no action was taken, if a report to the authorities would be futile, or when the violation is an “imminent” or “manifest” danger to the public interest. Lastly, the new rules would require that national authorities inform citizens and train public authorities on various aspects of whistleblowing. We will continue to monitor this development.

Uncertainty regarding the compatibility of blockchain technology and the European Union’s General Data Protection Regulation (GDPR) has often been highlighted as a potential obstacle to the development and widespread implementation of blockchain systems involving personal data.

To address tensions between blockchain technology and the GDPR, Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection regulator, published an initial report analyzing certain fundamental questions regarding the interaction between blockchain technology and the GDPR’s requirements (the “Report”). The Report was the first guidance issued by a European data protection regulator on this topic.

Blockchain, Personal Data and the GDPR Right to be Forgotten (https://privacylaw.proskauer.com/2018/05/articles/gdpr/blockchain-personal-data-and-the-gdpr-right-to-be-forgotten/), Thu, 03 May 2018, by Nicole Kramer

The effective date of the EU’s General Data Protection Regulation (GDPR) is fast approaching (May 25, 2018), and its impacts are already being felt across various industries. Specifically, the conflicts between the GDPR and the technical realities of blockchains raise important legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU data subjects.

In a landmark decision, a nine judge bench of the Supreme Court of India ruled today that privacy is a fundamental right protected by the Constitution of India.

Background

Due to the volume of cases brought before the Supreme Court of India, cases are generally heard by benches consisting of a subset of the court’s justices. The question of whether there is a constitutionally protected right to privacy arose in a 2015 case brought before a three judge bench of the Indian Supreme Court challenging the legal validity of the Government of India’s Aadhaar program. Under the Aadhaar program, the Unique Identification Authority of India (UIDAI), an Indian government authority, is charged with assigning a twelve digit unique identification number (UID) to each of the over 1.3 billion residents of India. Each resident’s UID is linked to certain biometric information of the resident, including his/her photograph, fingerprints and iris scans. The UIDs are used by the government for a variety of purposes, including to eliminate fraud in the dispensing of benefits under various government welfare programs. The three judge bench in the Aadhaar case determined that, to assess the case appropriately, a larger bench of Indian Supreme Court justices had to decide whether the right to privacy is a fundamental right protected by the Constitution of India. Given that the 1954 case of M.P. Sharma et al. v. Satish Chandra, District Magistrate, Delhi et al., which held that privacy is not a right guaranteed by the Indian Constitution, was decided by an eight judge bench, a larger bench of nine Supreme Court justices was convened to determine whether the rationale of the M.P. Sharma judgment, and of other judgments that similarly found that the Indian Constitution does not guarantee a right of privacy, was based on “jurisprudential correctness.” This bench of nine justices heard arguments presented over six long days spread over three weeks.

The Judgment

Today’s 547 page judgment by the Supreme Court of India consists of one opinion signed by four justices and five separate concurring opinions. It reads like a tome on the theory and jurisprudence of privacy law. The judgment includes a comparative analysis of privacy laws and court judgments of the United Kingdom, the United States, South Africa, Canada, the European Union and the treatment of privacy under the European Convention on Human Rights, the European Charter and the Inter-American Court of Human Rights. It also considers critiques of the privacy doctrine and existing Indian case law containing conflicting views on whether privacy is a fundamental right protected by the Indian constitution.

The extensive analysis conducted by the bench has rendered a decision that is unequivocal: “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 [of the Indian Constitution] and as part of freedoms guaranteed by Part III of the Constitution.”

Part III of the Indian Constitution is India’s “bill of rights” which enumerates the fundamental rights guaranteed by the Indian Constitution. Article 21 states “No person shall be deprived of his life or personal liberty except according to procedure established by law.”

In today’s ruling, the court states that life and personal liberty are not creations of the Constitution; they are “rights that are recognized by the Constitution as inhering in each individual as an intrinsic and inseparable part of the human element which dwells within,” and “privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution.” The court goes on to state that “privacy is the constitutional core of human dignity” before clarifying that, like all of the fundamental rights enumerated in Part III of the Indian Constitution, the right to privacy is not absolute but is subject to permissible restrictions on fundamental rights. A law that encroaches on the right to privacy may be valid if it is otherwise legal, fulfills a legitimate aim of the state and is based upon a rational connection between the objective of the law and the means adopted to achieve it.

Impact

Whether this case will affect the legality of the Aadhaar program remains an open question. The court does state in its judgment that the state may have justifiable reasons for the collection and storage of data, and that the objective of ensuring that resources are properly deployed to legitimate beneficiaries is a valid ground for the state to insist on the collection of data. If data collected under the Aadhaar program is used for a legitimate state interest and not for unrelated purposes, the program, and the collection of personal and biometric information through it, may be held to be legal.

Apart from the impact this case may have on deciding the legality of the Aadhaar program, the case may also affect how future cases dealing with other issues, such as gay rights and abortion, are decided, by recognizing that privacy includes matters relating to sexual orientation and procreation.

Further, as part of its judgment, the court has identified the need for the Government of India to examine and put into place a robust regime for data protection. Accordingly, today’s judgment may lead to the further development of privacy laws and regulations in India.

We will continue to monitor the development of privacy laws in India and publish updates here as appropriate.

Proskauer has released a white paper on “What Employers Need to Know about Europe’s General Data Protection Regulation.” As you may know, on April 14, 2016, the European Parliament approved the General Data Protection Regulation (“GDPR”), which will replace the EU’s current data privacy standard and begin to apply on May 25, 2018. This paper provides a broad overview of the ways in which the GDPR will change data protection regulations across the EU, focusing on employee data and how it is treated differently from consumer data. This paper also highlights key areas of change from the current state of the law and suggests proactive steps an employer may take to better prepare for May 25, 2018. This is meant as a guide to assist employers with planning for and achieving compliance before the May 25th deadline. EU data privacy is an enormous challenge for multi-national companies, and many U.S. based companies doing business in the EU are struggling with what they need to do in order to get into compliance with the GDPR with respect to collecting, processing and transferring employee data. To read Proskauer’s full white paper titled, “What Employers Need to Know about Europe’s General Data Protection Regulation” please click here.

This post provides an update as to the current status of official GDPR-related guidance. With a little under a year remaining until the European Union’s General Data Protection Regulation (GDPR) becomes enforceable, companies are on the lookout for any interpretive guidance from EU or member state authorities that will help them focus their compliance efforts. The EU’s Article 29 Working Party (WP29) thus far has adopted guidelines relating to data portability, the identification of lead supervisory authorities, and the role of data protection officers, and has issued draft guidelines on data protection impact assessments (DPIAs, also known as “Privacy Impact Assessments”). Additionally, EU member states – led by Germany – are beginning to pass laws meant to complement the GDPR and legislate in areas the GDPR leaves to the member states. These laws also provide some clues as to how the GDPR will take effect on a country-by-country basis.

Guidance from the Article 29 Working Party

As mentioned above, in December 2016 the WP29 published draft guidelines on three new topics the GDPR introduced into EU law: data portability, the “one stop shop” system designed to facilitate the identification of lead supervisory authorities, and the role of data protection officers. The WP29 ultimately adopted revised versions of these guidelines in April 2017. The revised guidelines addressed a few important issues the draft versions left unaddressed or unclear, and included the following points, among others:

A recommendation that a company’s data protection officer be located in Europe;

Additional emphasis on the WP29’s position that, for purposes of data portability, a user’s “personal data” includes information gathered based on the data subject’s activity, “such as raw data processed by a smart meter or other types of connected objects, activity logs, history of website usage or search activities;”

A characterization of a company’s “main establishment,” for “one stop shop” purposes, as not only “the place where decisions about the purposes and means of the processing of personal data are taken,” but as the “place [that] has the power to have such decisions implemented.”

The WP29 also published draft guidelines on DPIAs in April 2017. Article 35 of the GDPR requires controllers to carry out a DPIA “[w]here a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.” Accordingly, these draft guidelines focus largely on providing advice about types of processing that are “likely to result in a high risk to the rights and freedoms of natural persons,” and provide a list of factors a controller should consider in making the determination as to whether a DPIA is needed. The list suggests that controllers consider, among other things, whether their processing entails “[e]valuation or scoring” (which would include, for example, a bank screening its customers against a credit reference database), the processing of sensitive data, or whether the data being processed will be transferred out of the EU to a country with less-stringent data protection laws (which would include, in the eyes of the EU authorities, the US). The guidelines state “a[s] a rule of thumb” that a processing operation that implicates more than two of these factors will require a DPIA, while processing that implicates fewer than two of these factors will not, although the document also allows that in some cases, a processing operation that touches upon only one of these factors nevertheless may still pose enough of a risk to warrant a DPIA. The guidelines also suggest that a DPIA of any processing activity be re-assessed every three years, and that controllers should consider making available parts (if not all) of the DPIA to the public.

The public comment period for these draft DPIA guidelines closed in May, so the WP29 should be adopting a finalized set of guidelines in the coming months. In the meantime, the WP29 has committed to providing additional GDPR guidance over the next year, although the prospective publication dates remain unclear at this point.

Guidance from the UK’s Information Commissioner’s Office (ICO)

Not content to wait for the WP29’s guidelines on consent, the UK’s ICO published its own draft guidance on the subject in March of 2017. The draft guidance helpfully spells out the differences between the current Directive’s conception of consent and the GDPR’s expectations related to the same. Specifically, the ICO guidance stresses that under the GDPR, companies will need to revise their consent mechanisms in order to obtain “more granular” consent. In other words, a company must provide data subjects with specific consent options for various types of processing. Furthermore, because consent must be informed in order to be considered valid, the company must provide data subjects with notice as to the nature of the different types of processing, including the extent of the processing activities and the purposes of the processing.

The guidance also emphasizes the importance of adopting “simple easy-to-access ways for people to withdraw consent.” The guidelines advise that the withdrawal of consent should be “an easily accessible one-step process” that makes it just as easy for the data subject to withdraw consent as it was for the data subject to give consent. One example of such an “easily accessible” process, at least for any customers that gave consent via an online form, would be to provide another online form for withdrawing consent that is available from a link at the bottom of every webpage.

Although the UK currently is in the process of negotiating its Brexit from the EU, the UK likely will retain many of the GDPR’s provisions. Therefore, despite the fact that the UK may no longer be an EU member state a few years from now, the ICO’s guidance still may be considered helpful.

New Data Protection Law in Germany

At the end of April 2017, the German Parliament passed a new Federal Data Protection Act (formally known as the Bundesdatenschutzgesetz, and typically abbreviated as the BDSG). Although the GDPR is directly applicable in the EU member states and does not require any implementing legislation in order to become law, the BDSG is meant to ensure that German law is in line with the GDPR’s requirements. Additionally, the GDPR allows the member states to legislate in particular areas, which will lead to some legal variations in privacy law across the EU. The BDSG therefore also implements some of those allowable variations into German law and helpfully illuminates the legal areas in which some of the EU member states will diverge from one another once the GDPR becomes enforceable. For example, the BDSG leaves in place provisions from the previous BDSG (which had been in place in Germany for decades) regarding employee data protection, which is an area the GDPR allows the member states to regulate themselves.

It is worth emphasizing that the BDSG is a law, rather than a set of guidance from regulators, and therefore companies operating in Germany should consider consulting with local counsel in order to understand how the new law may impact their operations in the country.

Please check back for updates and analysis as European regulators continue to issue guidance related to the GDPR.

China’s new Cybersecurity Law is one of the most important pieces of privacy and cybersecurity legislation we’ll see this year, and companies of all sizes need to be aware of its requirements – regardless of whether or not they have a physical presence in China. The new law goes into effect on June 1, 2017, meaning that companies have a few weeks left to familiarize themselves with the law and work on achieving compliance. However, simply reviewing the law itself is not enough: in order to truly understand its requirements, it is important to step back and view the law in the context of the Chinese legal system more generally. This post provides a breakdown of this complex new law and its implications for businesses, and provides additional context needed to understand the Chinese privacy law landscape from a more holistic perspective.

First things first: what is the current state of data protection law in China?

Like the United States – and unlike an increasing number of countries around the world – China does not have an omnibus data protection law. Instead, it regulates privacy and cybersecurity issues through a number of industry-specific laws, such as the Practicing Physicians Law, Commercial Banking Law, Postal Law, and the Provisions on the Protection of Personal Information of Telecommunication and Internet Users. Additionally, China does not have a single central data protection authority charged with enforcing privacy laws. The lack of a centralized data protection authority means that it can be more difficult to keep up with enforcement actions and the issuance of any legal guidance, especially for foreign companies unfamiliar with the Chinese legal environment. This panoply of laws and authorities makes China a relatively complex jurisdiction in which to operate from a data protection standpoint.

Further complicating matters is the fact that the Cybersecurity Law was passed in the wake of two other significant laws: the National Security Law and the Anti-Terrorism Law. These three laws operate in tandem to regulate many aspects of cybersecurity and privacy law in China, while potentially giving the Chinese government broader surveillance powers. Generally speaking, the vaguely-worded National Security Law, which has been called out by the UN High Commissioner for Human Rights for its “extraordinarily broad scope,” permits the government to take “all necessary” steps to guard China’s sovereignty (including, it is speculated, by implementing wide-ranging surveillance measures). Meanwhile, the Anti-Terrorism Law requires telecom and Internet providers to allow access and grant other forms of assistance (such as decryption) to government authorities to prevent and investigate terror attacks. In short, China’s new Cybersecurity Law adds an additional wrinkle to an already complex matrix of data protection laws and regulations, at least some of which are ostensibly meant to defend against threats (real or imagined) to China’s sovereignty.

What’s the nature of the new Cybersecurity Law? Is it an omnibus law like the EU Data Privacy Directive?

Not exactly. The Chinese legislature passed the new Cybersecurity Law in November of last year after public consultation on several previous drafts of the legislation, although the law does not actually go into effect until June 1, 2017. Recently, on April 11, the government released the Draft Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data, which is intended to be a major set of implementation rules for the Cybersecurity Law (the “Draft Implementation Rules”). The Draft Implementation Rules, if finalized, would impose additional restrictions on certain transfers of data out of China (as discussed in further detail below). While not an omnibus law that regulates all aspects of privacy and cybersecurity across every industry, the Cybersecurity Law nevertheless has a wide scope and contains provisions relating to both privacy and cybersecurity.

Will the Cybersecurity Law Apply to my company?

At the outset, it is important to understand that not every aspect of the law applies universally to all companies. Many of the law’s key provisions only apply to two types of companies: “network operators” and “critical information infrastructure” (“CII”) providers. However, these categories are defined quite broadly and may have a wide-ranging scope in practice, so even companies that would not ordinarily consider themselves network operators or CII providers may be swept up by these definitions.

The Cybersecurity Law defines “network operators” broadly – the category includes network owners, administrators, and service providers. The law therefore suggests that any company that maintains a computer network, even within its own office, could qualify as a “network operator” – an interpretation expansive enough to include a large number of companies. Companies based outside of China that use networks to conduct business within China also may be swept up by this definition.

“Critical Information Infrastructure” providers are defined a bit more narrowly, but the law still casts a fairly wide net. CII providers generally are viewed as those that provide services that, if lost or destroyed, would damage Chinese national security or the public interest – the law names information services, transportation, water resources, and public services, among other service providers, as examples. The government has the ultimate say in which types of companies may qualify as CII providers, as the law makes the State Council responsible for determining the scope of the definition. Naturally, questions remain: what types of services could damage national security or the public interest if rendered non-operational? What qualifies as “damaging” to national security or the public interest? For the time being, it appears that the definition of “CII provider” could have a fairly wide scope.

It also is important to note that although much of the law is devoted to regulating network operators or CII providers, the law’s applicability is not limited to those types of entities. The law also sets out more generally applicable requirements relating to cybersecurity and contains provisions that apply to other types of entities, including suppliers of network products and services.

What are the Cybersecurity Law’s key provisions?

The law covers a range of topics, from privacy of personal information to security standards. Generally speaking, network operators must:

Obtain data subjects’ informed consent to the collection of their personal information, regardless of the prospective uses or types of processing of that data. Whether consent must be express or may be implied currently is unclear;

Keep a log of cybersecurity incidents and retain that log for no fewer than six months;

Implement cybersecurity incident plans;

Remediate any security flaws immediately upon discovery and engage in security maintenance of their services (if the network operator provides a service through its network);

Work within their organizations to ensure the integrity of their network’s security;

Back up and encrypt data.

Meanwhile, CII providers are required to:

Engage in the same cybersecurity practices as network operators, along with some additional requirements, such as conducting reviews of their cybersecurity practices on an annual basis;

Store personal information and “important data” within China (more on this below).

Additionally, the law requires that cybersecurity products must be certified as meeting certain standards (yet to be articulated) before being offered for sale. There is speculation that this requirement serves as a means for the Chinese government to obtain access to certain products and data.

Another important point relates to the definition of “personal data.” While previous drafts of the law defined personal information as belonging only to Chinese citizens, the final draft of the law refers to personal data as belonging to “natural persons.” Accordingly, the law appears to apply to the personal data of non-citizens as well as citizens.

Does the Cybersecurity Law require my company to keep certain data in China?

As we’ve written about in previous posts, data localization laws are a global trend, and they generally require companies that collect certain types of data from a jurisdiction to store and/or process data within that jurisdiction. To that end, the Cybersecurity Law requires “critical information infrastructure” providers to store “personal information” and “important data” within China unless their business requires them to store data overseas and they have passed a security assessment. At this point, it remains unclear what qualifies as “important data,” although its inclusion in the text of the law alongside “personal data” means that it likely refers to non-personal data. The requirement that “important data” remain in-country therefore reflects a recent trend of governments appearing to put a security premium on business or governmental data equivalent to, or even greater than, the concern accorded to individuals’ personal data (for example, Saudi Arabia’s draft cloud computing regulations similarly appear to prize business and governmental data).

Note that this is not the first time China has imposed a data localization requirement, as several preexisting sector-specific regulations prohibit the transfer of certain types of data (i.e. pertaining to financial or health data) outside of China.

It also is important to be aware that the Chinese government has made an effort to expand the law’s restrictions on international data transfers. The Draft Implementation Rules require network operators planning to transfer more than one terabyte of data out of China, or network operators that have collected data on more than 500,000 data subjects, to obtain the permission of the data subjects, as well as pass self-imposed and government-run security assessments, in order to transfer that data out of China. The Draft Implementation Rules allow the relevant enforcement authorities to block the transfer if they believe, in their own discretion, that the transfer would endanger China’s political system, economy, security, or technology. If adopted, the Draft Implementation Rules also would require other individuals and entities seeking to export data from China – even if they are not network operators and even if they are based outside China – to conduct security assessments (self-imposed and/or government-run security assessments as required by the Draft Implementation Rules) of their data exports. If finalized, the Draft Implementation Rules therefore would significantly expand the Cybersecurity Law’s data localization requirements.

What are the penalties for violating the law?

The Cybersecurity Law provides for a maximum fine of RMB 1,000,000. Individuals may be subject to personal (albeit lesser) fines as well. The law also gives the Chinese government the ability to issue warnings, confiscate companies’ illegal income, suspend a violator’s business operations, or shut down a violator’s website. Serious violations of the Cybersecurity Law may also incur criminal liability.

Does the law apply in Hong Kong?

No. Under the “one country, two systems” approach, Hong Kong is an entirely separate jurisdiction from Mainland China and has its own privacy and cybersecurity laws. That doesn’t mean, however, that companies based in Hong Kong won’t be subject to China’s Cybersecurity Law if they do business in Mainland China, for the reasons mentioned above.

Anything else I should know about the Cybersecurity Law?

Unfortunately, simply understanding the nature of the Cybersecurity Law, by itself, is not sufficient to determine the scope of a company’s responsibilities under the law. It is important to recognize that the Chinese legislative and legal systems are fundamentally different from their American counterparts, and to consider how this difference affects the law’s interpretation and implementation. Though a full review of the complexities of the Chinese legal system is outside the scope of this blog post, it is worth noting that, as with other laws in China, the text of the Cybersecurity Law (which currently is not available in the form of an official English translation) may not be the best determinant of its purpose or scope. Understanding the government’s motivations and regulators’ approach to enforcing the law is key, and the best way to develop that understanding is through communicating with regulators and sharing information about best practices with other professionals in the field. Companies concerned about the Cybersecurity Law therefore should consider getting in touch with local counsel in China in order to gain the most up-to-date overview of the law’s scope and requirements.

When does the law go into effect?

The Cybersecurity Law goes into effect June 1, 2017. In the weeks leading up to and following June 1, companies should be on the lookout for implementing legislation or official guidance clarifying the scope of the law. Check back here for further updates as they become available.

Proskauer litigation associate Courtney Bowman and Jonathan Reardon, head of the Al Khobar, Saudi Arabia office of the Middle East-based firm Al Tamini & Co., recently co-authored an article published by Bloomberg about Saudi Arabia’s draft cloud computing regulations. The article analyzes the draft regulations and their potential impact on cloud service providers seeking to enter or expand their Saudi presence. The article also provides context about the Kingdom’s interest in enhancing its profile in the technology sector as part of a strategy to shift away from being a largely oil-based economy. Click here to read the full article.